(1) Field of the Invention
This invention pertains to an encryption device which may be installed in communication devices which carry out encrypted communication by sharing a secret key, and especially pertains to an encryption device which can be realized with a small-scale circuit.
(2) Description of Prior Art
It is often necessary to protect data transmitted over communication lines from being illegally copied or altered by someone intercepting the line of communication.
For example, the data of copyrighted material such as a movie is often digitized, compressed and recorded onto an optical disc. This data is read by an optical disc playback device, decompressed by a data expansion device, and played back by an audio/video playback device.
If the optical disc playback device and the data expansion device were separate devices that transmit data to one another, and this transmitted data were captured by a data recording device and copied by a digital data copy device without the author's consent, then the movie would be unlawfully copied, amounting to copyright infringement. Illegal copying of data through interception of the line of communication must therefore be averted. Although for the most part a device's circuit and component specifications are not made public, the electrical characteristics and signal protocols used for the communication of data often are, so that illegal copying of data along the line of communication, and subsequent alteration of that data, becomes a serious problem.
A variety of techniques are well known for preventing this kind of unlawful act and protecting the security of communications.
The most typical of these employ entity authentication mechanisms. Basically, this is a system in which the sender of data authenticates the legitimacy of the receiver and transmits data only when the receiver's legitimacy is confirmed. This keeps digital copyrighted material from being received by unauthorized devices.
In this case the entity which, like the receiver, certifies its own legitimacy is called the prover, and the entity which confirms the other entity's legitimacy is called the verifier. The question here is not so much whether authentication succeeds between particular devices that carry out optical disc recording and playback, but whether the devices conform to standards established by the optical disc device industry. Consequently, the word "legitimate" is defined here as "conforming to established standards."
Prior Art #1
The unilateral authentication method using encryption techniques recorded in the international standard ISO/IEC 9798-2 is the first example of prior art.
This authentication method is based on the prover proving to the verifier that it possesses secret data known as the authentication key, without revealing the key itself. The verifier first selects random data and "throws" it to the prover. This action is called a challenge, and the data thrown is called challenge data.
The prover responds by encrypting the challenge data using the authentication key and the encryption converter it possesses, and returns the encrypted data to the verifier. This action is called a response, and the data is called response data.
The verifier, on receiving the response data, possesses the same authentication key and a decryption converter, which is the inverse of the prover's encryption converter, and uses it to decrypt the response data received from the prover. If the decrypted result matches the challenge data, the verifier judges the prover to be in possession of the authentication key and authenticates the legitimacy of the prover. Unilateral authentication means that one side proves its legitimacy to the other.
The encryption converter T referred to here is a mapping from the set of plaintexts to the set of ciphertexts based on key data S. The relation

TINV(S, T(S, X)) = X

holds between plaintext X and the inverse converter TINV, which maps the set of ciphertexts back to plaintexts in accordance with key data S. This means that after conversion and inverse conversion, plaintext X returns to its original state. The inverse of the encryption converter is called the decryption converter. In order to function as an encryption converter, it must be infeasible to obtain plaintext X from ciphertext T(S, X) when key S is not known. In the following, the encryption converter is written as E(S, ) and the decryption converter as D(S, ).
FIG. 1 shows an example of the authentication method recorded in the above Standards.
FIG. 1 illustrates digital copyrighted material mj being transferred from first device 11 to second device 12, with first device 11 confirming the legitimacy of second device 12.
Below is a description of the conventional unilateral authentication method following the numbered steps shown in the diagram.
(1) The first device 11 generates random number R1. This is then transmitted to second device 12 through the line of communication as challenge data.
(2) When second device 12 receives this random number, it encrypts the random number using the secret authentication key S loaded inside device 12. The result, C1, is then transmitted along the line of communication to first device 11 as response data.
(3) When first device 11 receives this response data, it uses authentication key S as a decryption key to decrypt C1.
(4) First device 11 compares the decryption result RR1 with the random number R1 temporarily stored inside first device 11. If they match, first device 11 considers second device 12 to be in possession of the same authentication key S, and confirms the entity in communication as a legitimate device. If they do not match, it judges the entity in communication to be an unauthorized device and terminates the process.
(5) After first device 11 has authenticated second device 12 as legitimate, it transmits the copyrighted material along the line of communication.
In the event that a third party not in possession of authentication key S were connected to the line of communication in place of second device 12, this third device would not be able to construct the correct value C1 in step (2). As a consequence, the decryption result RR1 obtained in step (3) would not match R1 in step (4), and first device 11 would not transfer the copyrighted material to the third party in step (5).
However, if the same challenge data and response data were always used between first device 11 and second device 12, a third device that had recorded them could replay the response and impersonate second device 12. To avoid this, first device 11 sends different challenge data (random numbers) every time.
Prior Art #2
Prior Art #1, however, would still permit forged data stored in a hard disk device to be unlawfully transmitted to a second device 12 in possession of the legitimate authentication key, because second device 12 never checks the legitimacy of the sender. To fix this problem, second device 12 must confirm the legitimacy of first device 11 at the same time as first device 11 confirms the legitimacy of second device 12.
It is also possible to intercept the data on the line of communication while it is being transmitted to second device 12, extract it from the line, and store it in, for example, a hard disk unit. Of course this requires knowledge of the electrical specifications of the signals on the line of communication and of the data protocol, but since this information is not normally kept secret, there is a real danger of the copyrighted material being extracted. Authentication alone is therefore not enough: it is also necessary to encrypt the transmitted communication by distributing a randomly generated key to both devices and using that key to encrypt the copyrighted material. Hereinafter, the secret key for encrypting the transmitted copyrighted material is referred to as the data transfer key.
Below is an explanation of Prior Art #2, which expands on the unilateral authentication of Prior Art #1 and conducts mutual authentication, distribution of the data transfer key, and encrypted communication.
FIG. 2 shows an example of a device which realizes mutual authentication.
FIG. 2 shows the case when the digital copyrighted material mj is transmitted from first device 21 to second device 22 after being encrypted.
Below is a description of the conventional mutual authentication method and the operations for distributing the data transfer key following the numbered steps shown in the diagram.
(1) First device 21 generates random number R1. This represents the first challenge data. Then this is sent through the line of communication to second device 22.
(2) Second device 22 generates random number R2, and creates combined data R1||R2 by concatenating R2 with the random number R1 received from first device 21. Here the symbol || denotes concatenation: the bits of the two numbers are lined up one after the other. Second device 22 encrypts this combined data R1||R2 with the authentication key S as the encryption key, and transmits the encrypted text C1 to first device 21.
(3) First device 21 decrypts the encrypted text C1 received from second device 22 using the authentication key S as the decryption key, and splits the result. The separated data in the upper position is called RR1, and the separated data in the lower position is called RR2.
(4) First device 21 compares the separated data RR1 with the random number R1 temporarily stored in first device 21. If these match, the entity in communication is judged to be a legitimate device in possession of the authentication key S. If they do not match, the authentication process is terminated.
(5) First device 21 generates random number K and sets this as the data transfer key K. First device 21 concatenates the separated data RR2 with the data transfer key K, encrypts this combined data RR2||K with the authentication key S to make encrypted text C2, and transmits this to second device 22.
(6) Second device 22 uses authentication key S to decrypt the encrypted text C2 received from first device 21. The separated data in the upper position is RRR2, and the separated data in the lower position is KK.
(7) Second device 22 compares the separated data RRR2 with the random number R2 temporarily stored in second device 22. If these match, the entity in communication is judged to be a legitimate device in possession of the authentication key S. If they do not match, the authentication process is terminated. Otherwise, the separated data KK obtained by decryption is set as data transfer key KK.
(8) First device 21 encrypts the digital copyrighted material using the data transfer key K, and transmits this to second device 22 along the line of communication.
(9) Second device 22 decrypts this using the data transfer key KK, and acquires the digital copyrighted material.
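The exchange of steps (1) to (9) above, as an added example that is not part of the original page: the first four steps are the unilateral challenge-response of Prior Art #1 (the verifier's random challenge, the prover's encrypted response, decryption and comparison), and the remaining steps add the reverse-direction check and the distribution of K. Assumptions not taken from the page: the unspecified encryption converter E(S, ) / decryption converter D(S, ) is stood in for by a 4-round Feistel network over 128-bit blocks with HMAC-SHA256 as the round function; R1, R2 and K are 64-bit random numbers so that R1||R2 and RR2||K each fill exactly one block; the copyrighted material in step (8) is encrypted by a counter-mode keystream derived from the same block cipher under K; comparisons use a constant-time compare. The `ImpostorFirstDevice` class is a constructed attacker that lacks the legitimate S and therefore cannot perform step (4) at all; it shows why second device 22 needs its own check at step (7).

```python
import hashlib
import hmac
import os

# Assumptions (not from the page): a 128-bit block cipher built as a 4-round
# Feistel network with HMAC-SHA256 as round function stands in for E(S, ) and
# D(S, ); R1, R2 and K are 64-bit, so R1||R2 and RR2||K are one block each.
BLOCK = 16
HALF = 8
ROUNDS = 4


class AuthError(Exception):
    """Raised when a device terminates the process at step (4) or step (7)."""


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def encrypt_block(key, block):
    """E(S, X): keyed permutation of one 16-byte block."""
    L, R = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        L, R = R, _xor(L, _round(key, i, R))
    return L + R


def decrypt_block(key, block):
    """D(S, Y): the Feistel rounds run backwards, so D(S, E(S, X)) == X."""
    L, R = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        L, R = _xor(R, _round(key, i, L)), L
    return L + R


def _split(block):
    """Upper and lower halves of a decrypted block (RR1/RR2 or RRR2/KK)."""
    return block[:HALF], block[HALF:]


def transfer_crypt(K, data):
    """Steps (8)/(9): counter-mode keystream under the data transfer key.
    K is fresh per session, so a counter starting at 0 is never reused;
    XOR is its own inverse, so the same function encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = encrypt_block(K, (i // BLOCK).to_bytes(BLOCK, "big"))
        out += _xor(data[i:i + BLOCK], keystream)
    return bytes(out)


class FirstDevice:
    """Verifier of the second device and generator of data transfer key K."""

    def __init__(self, S):
        self.S = S

    def challenge(self):                                  # step (1)
        self.R1 = os.urandom(HALF)
        return self.R1

    def verify_and_distribute(self, C1):                  # steps (3)-(5)
        RR1, RR2 = _split(decrypt_block(self.S, C1))
        if not hmac.compare_digest(RR1, self.R1):         # step (4)
            raise AuthError("entity in communication lacks S")
        self.K = os.urandom(HALF)                         # step (5)
        return encrypt_block(self.S, RR2 + self.K)        # C2 = E(S, RR2||K)

    def send_data(self, mj):                              # step (8)
        return transfer_crypt(self.K, mj)


class SecondDevice:
    """Prover to the first device and receiver of the data transfer key."""

    def __init__(self, S):
        self.S = S

    def respond(self, R1):                                # step (2)
        self.R2 = os.urandom(HALF)
        return encrypt_block(self.S, R1 + self.R2)        # C1 = E(S, R1||R2)

    def receive_key(self, C2):                            # steps (6)-(7)
        RRR2, KK = _split(decrypt_block(self.S, C2))
        if not hmac.compare_digest(RRR2, self.R2):        # step (7)
            raise AuthError("entity in communication lacks S")
        self.KK = KK

    def receive_data(self, ciphertext):                   # step (9)
        return transfer_crypt(self.KK, ciphertext)


class ImpostorFirstDevice(FirstDevice):
    """Constructed attacker without the legitimate S: it cannot check C1 in
    step (4), so it skips the check and sends a C2 made with its own key."""

    def verify_and_distribute(self, C1):
        self.K = os.urandom(HALF)
        return encrypt_block(self.S, os.urandom(HALF) + self.K)


def run_session(first, second, mj):
    """Drive steps (1)-(9); return what the second device recovers, or None
    when either side terminates the process."""
    try:
        C1 = second.respond(first.challenge())
        C2 = first.verify_and_distribute(C1)
        second.receive_key(C2)
        return second.receive_data(first.send_data(mj))
    except AuthError:
        return None
```

Running `run_session(FirstDevice(S), SecondDevice(S), mj)` with the same S on both sides returns mj; giving either side a different key returns None, the first case failing at step (4) and the impostor case at step (7). The bytes actually placed on the line by `send_data` differ from mj, which is the property step (8) relies on.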
If first device 21 is in possession of the legitimate authentication key and second device 22 is not, first device 21 judges the entity in communication to be lacking the legitimate authentication key in step (4) and terminates the process. Likewise, if second device 22 is in possession of the legitimate authentication key while first device 21 is not, second device 22 judges the entity in communication to be lacking the legitimate authentication key in step (7) and terminates the process. In this way the digital copyrighted material is prevented from passing from an authenticated device to an unauthenticated one and from an unauthenticated device to an authenticated one.
Also, the digital copyrighted material could be electronically copied and stored in an electronic storage device while it is being transmitted over the line of communication in step (8), after the authentication process has completed with both first device 21 and second device 22 in possession of the legitimate authentication key. Even if this were to happen, however, the material is encrypted and is therefore meaningless digital data. The original digital copyrighted material is thus effectively protected.
Consequently, for the mutual authentication method using encryption techniques to be effective, it is a necessary condition that the authentication key loaded into first device 21 and second device 22 cannot be easily extracted by someone trying to steal the data. It is also necessary for the random number generator for the challenge data and the generator for data transfer key K to be inaccessible and unalterable; otherwise an attacker who could fix their output would obtain repeated challenges, against which recorded responses could be replayed, and a predictable data transfer key.
The most effective method of securing the confidentiality of these components is to implement the parts which perform authentication, distribution of the data transfer key, and encrypted communication in an integrated circuit. Normally, extensive effort is required to analyze an IC, so authentication keys and the like cannot be extracted very easily.
In order to make the first device 21 of Prior Art #2 into an IC, such an IC (hereafter referred to as an encryption IC) must be fitted with the following parts:
A random number generator to generate random number R1
A decryption unit to decrypt the encrypted text C1
A part to store authentication key S
A comparison unit to compare random number R1 with separated data RR1
A random number generator for generating data transfer key K
An encryption part for concatenating separated data RR2 with the data transfer key K and encrypting the result
A part to store data transfer key K
An encryption part to encrypt the digital copyrighted material using data transfer key K
Second device 22 also requires a similar amount of hardware to that listed above.
When the prior authentication method is implemented in ICs, numerous functions, such as two random number generators and two converters (a decryption unit and an encryption unit), become necessary. This increases the circuit scale and ultimately the cost of the device.
Also, in Prior Art #2 the data transfer key K for encrypting data is generated by first device 21 alone, but for the same reason that mutual authentication is necessary, it is preferable for the key to reflect values generated by both devices.
As stated above, the ideal method for protecting the line between devices is one which seals the authentication functions and their secret information in an IC. However, doing this by the prior method of equipping a single IC with all the parts for mutual authentication, distribution of the data transfer key, and encryption makes the IC very large and increases its cost.